“One of Smarty’s primary design goals is to facilitate the separation of application code from presentation. Typically, the application code contains the business logic of your application, written and maintained in PHP code. This code is maintained by programmers. The presentation is the way your content is presented to the end user, which is written and maintained in template files. The Templates are maintained by template designers.”

Smarty is a “Template/Presentation Framework.” It gives the template designer the means to change the presentation of a website by defining variables and using logic (if/else) statements. It can be used, for example, to create WYSIWYCA (“what you see is what you can access”) pages that show or hide elements depending on permission variables.

Default Templates and Custom Templates

The default Smarty template files are the .tpl files in the /templates folder. They can be edited with any text editor, but it is best not to edit the default versions: changes made there are overwritten on the next Tiki upgrade.

Since Tiki 15, if you want to modify a template, copy it and put the copy in the custom theme directory, e.g. themes/custom_theme_name/templates (it was templates/styles/custom_theme_name/ prior to Tiki 15). Tiki then uses the copy in the theme directory in place of the default one.

Escaping variables used in Smarty

When modifying templates, it is important to check that every variable that is displayed on the page is escaped on output, except in the specific circumstances below. This is the safeguard against unfiltered user input being displayed back into the page, which is the usual cross-site scripting vector. The question is when to escape and when not to escape. See the documentation of the Smarty escape modifier: http://www.smarty.net/docs/en/language.modifier.escape.tpl

If the output of your template will be used in another template as a variable that is escaped there, then there is no need to escape it the first time, as doing so would double escape it (a literal &amp;lt; would appear on screen instead of &lt;).

If the variable is expected to possibly contain HTML, then it cannot be escaped, otherwise the HTML will be displayed as text on screen. In those cases it is the responsibility of the code that generated the HTML (e.g. the wiki parser) to ensure that its HTML output is filtered, and of the code of the input user interface to perform filtering in case a user enters HTML. Only trusted users should be allowed to enter raw HTML.

If the variable is used for redisplaying what the user entered in an input text field, take care not to double escape it: if the value was already escaped when it was filtered on input or stored, escaping it again on output means the user gets the escaped form back the next time the form is submitted. Note that escaping at output does not by itself cause this problem, because the browser decodes HTML entities in an attribute value before it submits the form. An unescaped attribute value is a classic injection point (a double quote in the input would close the attribute), so check where the value comes from and escape it exactly once, rather than leaving the attribute unescaped.

In all other cases, the variable should be escaped using the escape modifier. Its default (html) escaping is right for text inside an element or attribute; a value placed in a URL or inside a JavaScript string needs the url or javascript variant instead, because html escaping does not neutralize those contexts.
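The cases above, collected into one template fragment. This is an added example written for this page, not a Tiki template; the variable names ($user_name, $page_name, $page_html, $search_query, $title) and the included file name are assumed, and the comments say what each case relies on.

```smarty
{* Added example, not a Tiki template. All variable names are assumed. *}

{* Case 1: plain text that came from a user. Escape on output.
   The default escape is 'html' (htmlspecialchars), right for element content. *}
<p>Logged in as {$user_name|escape}</p>

{* The same value in a URL or in a JavaScript string needs a context-specific
   escape; html escaping alone does not protect these contexts. *}
<a href="tiki-index.php?page={$page_name|escape:'url'}">{$page_name|escape}</a>
<script>var userName = '{$user_name|escape:'javascript'}';</script>

{* Case 2: a variable that legitimately contains HTML, e.g. the wiki parser's
   output. Not escaped here, so the parser (and the input UI) must have filtered
   it, and only trusted users may enter raw HTML. *}
<div class="wikitext">{$page_html}</div>

{* Case 3: redisplaying what the user typed into a form field. Escaped once;
   the browser decodes the entities before the form is resubmitted, so this does
   not double escape. Drop the modifier only if the value was already escaped
   when it was filtered on input or stored. *}
<input type="text" name="q" value="{$search_query|escape}">

{* Case 4: a value passed to another template that escapes it itself.
   Passed raw here; header.tpl is assumed to output {$title|escape}. *}
{include file="header.tpl" title=$title}
```

When reviewing a custom template, walk through every `{$...}` output and decide which of the four cases it falls under; anything that does not clearly fall under cases 2 to 4 gets the escape modifier, in the variant that matches where the value lands (element content, attribute, URL or script).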